Manual Chapter : Applying a Pre-built Cipher String for SSL Negotiation

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Analytics

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP Link Controller

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP LTM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP PEM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP AFM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP DNS

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0

BIG-IP ASM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Manual Chapter

Applying a Pre-built Cipher String for SSL Negotiation

Overview: Using a pre-built cipher string

Before the BIG-IP system can process SSL traffic, you'll need to define the cipher string you want the system to use when negotiating security settings with client or server systems. Typing a raw cipher string on the system is tedious and can easily contain typos. It can also be unsecure, since the cipher string could inadvertently cause the system to negotiate in a way that you didn't intend.
To solve these problems, you can use a pre-built cipher string, known as a cipher group. A
pre-built cipher group
is a named set of cipher suites (known as a
cipher rule
) and a set of instructions that the system uses to create the final cipher string for SSL negotiation.
All pre-built cipher groups are available on the BIG-IP system, and you can assign any one of these cipher groups to a Client SSL or Server SSL profile. They are:
  • /Common/f5-default
  • /Common/f5-aes
  • /Common/f5-ecc
  • /Common/f5-hw_keys
  • /Common/f5-secure
For example, this illustration shows the pre-built cipher group named
/Common/f5-ecc
. This cipher group contains the cipher rule of the same name (
/Common/f5-ecc
), which contains the cipher string
ECDHE:ECDHE_ECDSA
(not shown). The cipher group is configured to allow the contents of the cipher rule into the final cipher string. You can see a preview of the resulting cipher string in the Cipher Audit area of the screen:

About BIG-IP cipher support

The BIG-IP system includes a default cipher string named DEFAULT, which contains a subset of the cipher suites that the BIG-IP system supports.
The full set of cipher suites that the BIG-IP system supports are contained in the NATIVE cipher string. The cipher suites contained in both the DEFAULT and NATIVE cipher string are eligible for hardware acceleration.
The BIG-IP system supports a large set of cryptographic parameters that you can use to modify how the BIG-IP manages SSL/TLS connections.
For TLS 1.2 and TLS 1.3, you can configure all or some of the cryptographic parameters:
  • Ciphersuites.
  • Key exchange algorithms, for example RSA, DH, or ECDHE.
  • Signature algorithms, for example RSA or ECDSA.
  • Encryption primitives, for example AES128 or CAMELLIA.
  • Hash algorithms, for example SHA256.
  • Message authentication codes, for example HMAC-SHA256 or HMAC-SHA384.

Task summary for configuring a pre-built cipher string

There are a few tasks you need to perform to configure a pre-built cipher string that the system will use for SSL negotiation.
This illustration shows the order that you need to perform these tasks in.

Confirm the ability to use a pre-built cipher group

Before you configure a cipher string for the BIG-IP system to use in SSL negotiations with client or server systems, you need to determine whether you can use a pre-built cipher group or whether you'll need to create a custom cipher group. You do this by viewing each pre-built cipher group on the system..
  1. On the Main tab, click
    Local Traffic
    Ciphers
    Groups
    .
    The screen displays a list of pre-built cipher groups.
  2. In the Name column, click the name of a cipher group.
    For example, click
    /Common/f5-ecc
    .
  3. In the
    Available Cipher Rules
    list, find the corresponding cipher rule and click the plus sign to view the cipher suites included in the rule.
    For example, this shows the cipher suites included in the pre-built cipher rule named
    /Common/f5-ecc
    .
  4. Click Cancel.
  5. As an option, you can repeat this task for any other pre-built cipher groups.
After doing this task, if you found no pre-built cipher group containing all of the cipher suites you need for your cipher string, you'll need to create your own custom cipher group instead.

Specify a cipher group within an SSL traffic filter

Before starting this task, make sure that the relevant traffic filter for managing SSL traffic (either a Client SSL or Server SSL profile) exists on the BIG-IP system.
You specify the cipher string that the BIG-IP system uses to negotiate security settings with a client or server system, by assigning a cipher group to a Client SSL or Server SSL profile.
  1. On the Main tab, click
    Local Traffic
    Profiles
    SSL
    Client
    or
    Local Traffic
    Profiles
    SSL
    Server
    .
    The Client SSL or Server SSL profile list screen opens.
  2. Click the name of a profile.
  3. From the
    Configuration
    list, select
    Advanced
    .
  4. On the right side of the screen, select the
    Custom
    check box.
  5. For the
    Ciphers
    setting, click
    Cipher Group
    and from the list, select a cipher group.
  6. Click
    Update
    .

Activate a cipher string for an application flow

Before starting this task, make sure that the virtual server for the relevant SSL application flow exists on the BIG-IP system.
You activate a cipher string for a specific application flow by assigning a Client SSL or Server SSL profile (or both) to a virtual server. This causes the BIG-IP system to use the cipher group specified in the profile to build the cipher string for negotiating security settings for SSL connections.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of a virtual server.
  3. From the
    Configuration
    list, select
    Advanced
    .
  4. For the
    SSL Profile (Client)
    and the
    SSL Profile (Server)
    settings, from the
    Available
    list, select the name of the SSL profile you previously created, and move the name to the
    Selected
    list:
    Using the
    SSL Profile (Server)
    setting is optional.
  5. Click
    Update
    to save the changes.
The BIG-IP system now uses the cipher group specified in an SSL profile to build a cipher string to use when negotiating security for the relevant application flow.